Message ID | 20221206160016.4029521-1-archana.polampalli@windriver.com |
---|---|
State | New |
Headers | show |
Series | [meta-oe,kirkstone,1/1] xfce4-settings: Fix CVE-2022-45062 | expand |
On 12/6/22 11:00 AM, Polampalli, Archana wrote: > Escape characters which do not belong into an URI/URL > In order to prevent argument injection in Xfce xfce4-settings > > References: > https://nvd.nist.gov/vuln/detail/CVE-2022-45062 > > Upstream Status: Backport from > https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/55e3c5fb667e96ad1412cf249879262b369d28d7 > > Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> > --- > .../xfce4-settings/files/CVE-2022-45062.patch | 83 +++++++++++++++++++ > .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +- > 2 files changed, 85 insertions(+), 1 deletion(-) > create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch > > diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch > new file mode 100644 > index 000000000..5384617d5 > --- /dev/null > +++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch This patch itself is missing the standard patch information like; Upstream-Status: CVE: Signed-off-by: For additional information: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines - armin > @@ -0,0 +1,83 @@ > +commit 55e3c5fb667e96ad1412cf249879262b369d28d7 > +Author: Alexander Schwinn <alexxcons@xfce.org> > +Date: Mon Nov 7 09:56:31 2022 +0100 > + > + Escape characters which do not belong into an URI/URL (Issue #390) > + > + In order to prevent argument injection > + > +diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c > +index 7149951f..b797e03b 100644 > +--- a/dialogs/mime-settings/xfce-mime-helper.c > ++++ b/dialogs/mime-settings/xfce-mime-helper.c > +@@ -415,7 +415,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, > + gint status; > + gint result; > + gint pid; > +- const gchar *real_parameter = parameter; > ++ gchar *real_parameter = NULL; > + > + // FIXME: startup-notification > + > +@@ -427,23 +427,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, > + if (G_UNLIKELY (screen == NULL)) > + screen = gdk_screen_get_default (); > + > +- /* strip the mailto part if needed */ > +- if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:")) > +- real_parameter = parameter + 7; > ++ if (parameter != NULL) > ++ { > ++ if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category == XFCE_MIME_HELPER_FILEMANAGER) > ++ { > ++ /* escape characters which do not belong into an URI/URL */ > ++ real_parameter = g_uri_escape_string (parameter, ":/?#[]@!$&'()*+,;=%", TRUE); > ++ } > ++ else if (g_str_has_prefix (real_parameter, "mailto:")) > ++ { > ++ /* strip the mailto part if needed */ > ++ real_parameter = g_strdup (parameter + 7); > ++ } > ++ else > ++ { > ++ real_parameter = g_strdup (parameter); > ++ } > ++ } > + > + /* determine the command set to use */ > +- if (exo_str_is_flag (real_parameter)) { > +- commands = helper->commands_with_flag; > +- } else if (exo_str_is_empty (real_parameter)) { > +- commands = helper->commands; > +- } else { > +- commands = helper->commands_with_parameter; > +- } > ++ if (exo_str_is_flag (real_parameter)) > ++ { > ++ commands = helper->commands_with_flag; > ++ } > ++ else if (exo_str_is_empty (real_parameter)) > ++ { > ++ commands = helper->commands; > ++ } > ++ else > ++ { > ++ commands = helper->commands_with_parameter; > ++ } > + > + /* verify that we have atleast one command */ > + if (G_UNLIKELY (*commands == NULL)) > + { > + g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command specified")); > ++ g_free (real_parameter); > + return FALSE; > + } > + > +@@ -533,6 +553,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, > + if (G_UNLIKELY (!succeed)) > + g_propagate_error (error, err); > + > ++ g_free (real_parameter); > + return succeed; > + } > + > diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb > index aa4265f7b..6757c48f4 100644 > --- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb > +++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb > @@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg > > REQUIRED_DISTRO_FEATURES = "x11" > > -SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch" > +SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \ > + file://CVE-2022-45062.patch" > SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e" > > EXTRA_OECONF += "--enable-maintainer-mode --disable-debug" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#99959): https://lists.openembedded.org/g/openembedded-devel/message/99959 > Mute This Topic: https://lists.openembedded.org/mt/95495939/3616698 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Please ignore this mail, Regards, Archana
diff --git a/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch new file mode 100644 index 000000000..5384617d5 --- /dev/null +++ b/meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch @@ -0,0 +1,83 @@ +commit 55e3c5fb667e96ad1412cf249879262b369d28d7 +Author: Alexander Schwinn <alexxcons@xfce.org> +Date: Mon Nov 7 09:56:31 2022 +0100 + + Escape characters which do not belong into an URI/URL (Issue #390) + + In order to prevent argument injection + +diff --git a/dialogs/mime-settings/xfce-mime-helper.c b/dialogs/mime-settings/xfce-mime-helper.c +index 7149951f..b797e03b 100644 +--- a/dialogs/mime-settings/xfce-mime-helper.c ++++ b/dialogs/mime-settings/xfce-mime-helper.c +@@ -415,7 +415,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, + gint status; + gint result; + gint pid; +- const gchar *real_parameter = parameter; ++ gchar *real_parameter = NULL; + + // FIXME: startup-notification + +@@ -427,23 +427,43 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, + if (G_UNLIKELY (screen == NULL)) + screen = gdk_screen_get_default (); + +- /* strip the mailto part if needed */ +- if (real_parameter != NULL && g_str_has_prefix (real_parameter, "mailto:")) +- real_parameter = parameter + 7; ++ if (parameter != NULL) ++ { ++ if (helper->category == XFCE_MIME_HELPER_WEBBROWSER || helper->category == XFCE_MIME_HELPER_FILEMANAGER) ++ { ++ /* escape characters which do not belong into an URI/URL */ ++ real_parameter = g_uri_escape_string (parameter, ":/?#[]@!$&'()*+,;=%", TRUE); ++ } ++ else if (g_str_has_prefix (real_parameter, "mailto:")) ++ { ++ /* strip the mailto part if needed */ ++ real_parameter = g_strdup (parameter + 7); ++ } ++ else ++ { ++ real_parameter = g_strdup (parameter); ++ } ++ } + + /* determine the command set to use */ +- if (exo_str_is_flag (real_parameter)) { +- commands = helper->commands_with_flag; +- } else if (exo_str_is_empty (real_parameter)) { +- commands = helper->commands; +- } else { +- commands = helper->commands_with_parameter; +- } ++ if (exo_str_is_flag (real_parameter)) ++ { ++ commands = helper->commands_with_flag; ++ } ++ else if (exo_str_is_empty (real_parameter)) ++ { ++ commands = helper->commands; ++ } ++ else ++ { ++ commands = helper->commands_with_parameter; ++ } + + /* verify that we have atleast one command */ + if (G_UNLIKELY (*commands == NULL)) + { + g_set_error (error, G_SPAWN_ERROR, G_SPAWN_ERROR_INVAL, _("No command specified")); ++ g_free (real_parameter); + return FALSE; + } + +@@ -533,6 +553,7 @@ xfce_mime_helper_execute (XfceMimeHelper *helper, + if (G_UNLIKELY (!succeed)) + g_propagate_error (error, err); + ++ g_free (real_parameter); + return succeed; + } + diff --git a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb index aa4265f7b..6757c48f4 100644 --- a/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb +++ b/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.2.bb @@ -8,7 +8,8 @@ inherit xfce features_check mime-xdg REQUIRED_DISTRO_FEATURES = "x11" -SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch" +SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch \ + file://CVE-2022-45062.patch" SRC_URI[sha256sum] = "4dd7cb420860535e687f673c0b5c0274e0d2fb67181281d4b85be9197da03d7e" EXTRA_OECONF += "--enable-maintainer-mode --disable-debug"
Escape characters which do not belong into an URI/URL In order to prevent argument injection in Xfce xfce4-settings References: https://nvd.nist.gov/vuln/detail/CVE-2022-45062 Upstream Status: Backport from https://gitlab.xfce.org/xfce/xfce4-settings/-/commit/55e3c5fb667e96ad1412cf249879262b369d28d7 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- .../xfce4-settings/files/CVE-2022-45062.patch | 83 +++++++++++++++++++ .../xfce4-settings/xfce4-settings_4.16.2.bb | 3 +- 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 meta-xfce/recipes-xfce/xfce4-settings/files/CVE-2022-45062.patch